Microsoft begins removing NTLM in Windows 11 24H2 and Windows Server 2025: what to expect

4 weeks ago · Updated 4 weeks ago

Microsoft has taken a significant step by officially starting the retirement of NTLM (New Technology LAN Manager) authentication. All versions of NTLM (LM, NTLMv1 and NTLMv2) are now listed as deprecated, and NTLMv1 has been removed outright from Windows 11 version 24H2 and Windows Server 2025; NTLMv2 still ships in those releases but receives no further development. The deprecation was announced in 2024 in response to long-standing security concerns with the protocol.

With this change, Microsoft aims to enhance the security posture of its operating systems by pushing applications and administrators toward the Negotiate security package (SPNEGO), which selects Kerberos whenever it is available and falls back to NTLM only when it is not. This article explains what to expect from the transition and how to prepare for it.

Table of contents
  1. What is NTLM and why is Microsoft phasing it out?
  2. What changes can users expect with the removal of NTLM?
  3. How to transition to the Negotiate protocol from NTLM?
  4. What security risks are associated with NTLM?
  5. How does this impact Windows Server 2025 users?
  6. What other features are being deprecated alongside NTLM?
  7. What should organizations do to prepare for this change?
  8. Related questions about the removal of NTLM
    1. Is NTLM being deprecated?
    2. Does Windows still use NTLM?
    3. How do I disable NTLMv1 on Windows 11?
    4. Why disable NTLM authentication?

What is NTLM and why is Microsoft phasing it out?

NTLM is a challenge-response authentication protocol that Microsoft introduced with Windows NT in the early 1990s as the successor to the even weaker LAN Manager (LM) scheme. It proves a user's identity by having the client compute a response from a server-supplied challenge and a hash of the user's password, so the password itself never crosses the network. Its design, however, predates credential relay, pass-the-hash and offline cracking as everyday attack techniques, and it gives the client no way to verify that it is talking to the genuine server.

Microsoft's decision to phase out NTLM stems from those structural weaknesses rather than from any single patchable bug: the NT hash is a password-equivalent credential, NTLMv1 relies on DES and can be cracked with trivial effort, and any NTLM exchange can be relayed to a third system unless signing or channel binding is enforced. Attackers use these properties routinely for lateral movement and privilege escalation, which is why organizations are expected to move to stronger authentication.

Kerberos, the default authentication protocol in Active Directory since Windows 2000, already offers what NTLM lacks: mutual authentication, short-lived tickets with per-session keys, and AES-based cryptography. That makes NTLM redundant in most domain scenarios. It is not yet redundant everywhere: Kerberos needs a reachable domain controller and a service principal name (SPN) for the target, so local accounts, workgroup machines and connections made by IP address still fall back to NTLM today. Closing those gaps is what the transition to Kerberos is about.

What changes can users expect with the removal of NTLM?

With the removal of NTLM, users can anticipate several changes in how authentication is handled in Windows 11 24H2 and Windows Server 2025. To be precise about what changed: NTLMv1 (and LM) are gone from these releases and cannot be re-enabled, while NTLMv2 still works but is frozen, gets no new features and is slated for removal in a later release. Credentials are therefore still validated through NTLMv2 today wherever Kerberos cannot be used; the direction of travel is that those cases shrink until NTLM can be switched off.

  • Transition to Negotiate: applications should request the Negotiate security package (SPNEGO) rather than NTLM directly. Negotiate picks Kerberos when the target has a service principal name and a domain controller is reachable, and falls back to NTLM only when it is not, so an application that already uses Negotiate stops producing NTLM traffic without a code change once the environment supports Kerberos for that target.
  • Impacts on legacy applications: applications that request the NTLM package by name, connect to servers by IP address, or authenticate to hosts with no SPN registered will keep generating NTLM traffic and need to be fixed or replaced before NTLM is blocked.
  • Enhanced security measures: removing NTLMv1 eliminates the weakest responses outright, and the "Network security: Restrict NTLM" audit and block policies let administrators find, and then deny, the remaining NTLMv2 use.

Overall, these adjustments are aimed at a more secure and modern authentication landscape within Microsoft's ecosystem.

How to transition to the Negotiate protocol from NTLM?

Transitioning from NTLM to Negotiate (and thereby to Kerberos) is an inventory-and-remediation exercise rather than a single switch: find where NTLM is still used, remove the reason each case needs it, verify, and only then block it.

First, identify every application, service and host that currently authenticates with NTLM. The Security log on each server records an event 4624 with authentication package NTLM for every NTLM logon, and the "Network security: Restrict NTLM" policies have audit-only modes that log, in the Microsoft-Windows-NTLM/Operational channel, exactly what a later deny policy would break. This inventory sets the scope of the transition and surfaces the hard cases early.

  1. Audit: enable the NTLM audit policies (incoming, outgoing and, on domain controllers, domain-wide) and collect the results for a few weeks.
  2. Remediate the root causes: register missing SPNs, connect by host name instead of IP address, and change applications that call the NTLM security package directly to call Negotiate instead. Microsoft's announced Kerberos additions (IAKerb and a local KDC) are intended to cover the remaining local-account and no-line-of-sight-to-DC cases.
  3. Test in a controlled environment with the restriction policies set to deny, confirming that each application authenticates with Kerberos.
  4. Enforce: move the policies from audit to deny in production, keeping an explicit exception list for servers that cannot yet be migrated, and shrink that list over time.

By following these steps, organizations can effectively transition away from NTLM while minimizing disruptions.
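The audit step above, as an added PowerShell example (this is not code from the article or from Microsoft): it switches the "Restrict NTLM" policies on the local host to audit-only by writing the registry values those Group Policy settings use, counts what the NTLM operational channel has recorded, and then builds an inventory of NTLM logons from Security event 4624, grouped by account, source workstation and NTLM version. The seven-day window and the exclusion of anonymous logons are assumptions for illustration; run it elevated on the server being assessed.

```powershell
# Added example: NTLM audit and inventory for one host. Not part of the article.
# Registry values below mirror the "Network security: Restrict NTLM" policies under
# Local Policies > Security Options; on a domain-joined host set the GPO instead,
# otherwise Group Policy will revert these local values.
#Requires -RunAsAdministrator

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit Incoming NTLM Traffic = "Enable auditing for all accounts" (2)
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
# Outgoing NTLM traffic to remote servers = "Audit all" (1); 2 would be "Deny all"
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
# Domain controllers only: Audit NTLM authentication in this domain = "Enable all" (7)
# Set-ItemProperty -Path $msv -Name AuditNTLMInDomain -Value 7 -Type DWord

# Audit events land in Microsoft-Windows-NTLM/Operational:
#   8001  outgoing NTLM that a "Deny" policy would have blocked (client side)
#   8002  incoming NTLM that would have been blocked (server side)
#   8003  domain NTLM authentication that would have been blocked (DC side)
$since = (Get-Date).AddDays(-7)   # assumed window
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# Independently of the audit policy, every successful NTLM logon to this host is a
# Security 4624 whose AuthenticationPackageName is NTLM. 604800000 ms = 7 days.
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 604800000]]" +
         " and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            Source      = $data.IpAddress
            LogonType   = $data.LogonType
            NtlmVersion = $data.LmPackageName   # "NTLM V1" or "NTLM V2"
        }
    } |
    Where-Object { $_.Account -notlike '*\ANONYMOUS LOGON' } |   # assumed: noise for this purpose
    Group-Object Account, Workstation, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The 4624 grouping is the migration worklist: each row is one account/source pair that still needs an SPN, a host-name connection string, or an application change before this server's incoming NTLM policy can be set to deny. The NtlmVersion column also shows immediately whether anything still depends on NTLMv1.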

What security risks are associated with NTLM?

NTLM has several security weaknesses that make it a poor choice for modern authentication. The best known is pass-the-hash: the NT hash of a password is all a client needs to produce a valid NTLM response, so an attacker who reads that hash from memory or from a SAM or NTDS.dit dump can authenticate as the user without ever learning the password.

NTLM does not send the password in clear, but that is the limit of its protection. Because the client never verifies the server's identity, an attacker who can coerce or trick a machine into authenticating to a host they control can relay the challenge-response exchange to another service and act as that user there (NTLM relay), unless SMB or LDAP signing and Extended Protection for Authentication are enforced on the target. A captured exchange can also be cracked offline: NTLMv1 responses are built on DES and can be recovered in hours or less, and NTLMv2 responses (HMAC-MD5) reduce to a password-guessing problem against the user's password. None of this requires a software bug, which is why the protocol itself is being retired.

By phasing out NTLM, Microsoft aims to address these concerns. Kerberos authenticates both sides and binds each ticket to a named service, which removes the relay primitive that underpins most NTLM abuse. One caveat remains: where RC4 encryption types are still allowed, the same NT hash can be used to request a Kerberos ticket (overpass-the-hash), so disabling RC4 and protecting the hashes themselves stay on the to-do list after NTLM is gone.

How does this impact Windows Server 2025 users?

Windows Server 2025 is affected in the same way as Windows 11 24H2: NTLMv1 and LM are removed and NTLMv2 remains but is deprecated. For a server the practical consequences are that any client that can only speak NTLMv1 (old appliances, embedded devices, unpatched legacy systems) can no longer authenticate to it, and that server-side gaps such as missing SPNs, Kerberos-unaware applications and IP-based connection strings will keep clients on NTLMv2 until they are fixed. Expect server configuration and enterprise application changes.

Domain controllers running Server 2025 are also where the domain-wide controls live: "Network security: Restrict NTLM: NTLM authentication in this domain" and its audit counterpart apply on DCs and govern every NTLM logon the DCs validate, so the DC is the natural place to measure and then restrict NTLM for the whole domain. Organizations that rely heavily on NTLM for internal applications must assess their systems and plan the migration to Negotiate; the shift matters for both security and compliance.

IT departments should also follow Microsoft's deprecated features list and authentication announcements, since the release in which NTLMv2 is removed has not been fixed and the Kerberos enhancements that cover NTLM's remaining use cases are arriving incrementally.

What other features are being deprecated alongside NTLM?

Along with NTLM, Microsoft's deprecated features list covers several other items that may affect the same environments. A notable one is Windows Information Protection (WIP), whose sunset was announced in 2022; Microsoft points to Microsoft Purview Information Protection and Purview Data Loss Prevention as the replacements.

  • WIP deprecation: organizations that relied on WIP to separate corporate from personal data on devices need to move to Purview-based protection.
  • Legacy protocols: weaker protocols are being disabled by default in the same releases; TLS 1.0 and 1.1, for example, are off by default in Windows 11 24H2 and Windows Server 2025, and clients that only support them will fail to connect.
  • Stronger security defaults: Microsoft keeps tightening defaults from release to release, so reviewing the deprecated and removed features lists before each upgrade is now part of normal change management.

As part of this evolution, Microsoft is steering users toward newer technologies that offer better security and compliance.

What should organizations do to prepare for this change?

Organizations must take proactive steps to prepare for the removal of NTLM and ensure a smooth transition. This preparation should start with a comprehensive review of current authentication dependencies and infrastructure.

First, measure current NTLM use (audit policies plus Security event 4624 on servers and domain controllers) and identify the applications, services and devices responsible. Next, set a timeline for moving to Negotiate, covering SPN registration, connection-string and application fixes, and the switch of the restriction policies from audit to deny.

  • Implement testing phases: before enforcing, run the deny policies in a test environment and on a pilot group of servers to catch breakage that the audit logs did not reveal.
  • Brief application owners and the service desk: end users do not see whether Kerberos or NTLM was used, but the people who own the affected applications and the staff who will take the first calls when something fails must know what is changing and when.
  • Monitor security practices: track Microsoft's guidance on NTLM, Kerberos and related hardening (signing, channel binding, RC4) so the organization stays compliant and protected.

By taking these measures, organizations can effectively navigate the changes brought by the removal of NTLM.

Related questions about the removal of NTLM

Is NTLM being deprecated?

Yes. All versions of NTLM (LM, NTLMv1 and NTLMv2) are on Microsoft's deprecated features list: they still work where present but get no further development, and Microsoft plans to remove them in a future release. NTLMv1 has already been removed from Windows 11 24H2 and Windows Server 2025. The goal is to retire the outdated protocol and move users to more secure methods.

Does Windows still use NTLM?

Yes. NTLMv2 is still shipped and still used in Windows 11 24H2 and Windows Server 2025 whenever Kerberos cannot be: local accounts, workgroup (non-domain) machines, connections made by IP address, services without a registered SPN, and any application that asks for the NTLM package explicitly. Negotiate prefers Kerberos but falls back to NTLM in those cases, so "Windows uses Kerberos" is only true once the environment no longer needs the fallback. Organizations should prepare for that transition now.

How do I disable NTLMv1 on Windows 11?

On Windows 11 24H2 NTLMv1 is already removed, so this question matters for earlier versions and for domain controllers that still accept it. Open the Local Security Policy editor (secpol.msc), go to Local Policies > Security Options, and set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM". That writes LmCompatibilityLevel = 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; on domain-joined machines set the same policy in a GPO so it is not reverted at the next policy refresh. Check the Security log first for 4624 events whose package name is "NTLM V1" to find the clients that will break.
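The same procedure in PowerShell, as an added example rather than code from the article: it reads the current LAN Manager authentication level, lists the clients that authenticated with NTLMv1 to this host over an assumed 30-day window, and only enforces level 5 when none were found. Run it elevated on a host that still accepts NTLMv1 (a pre-24H2 system or a domain controller).

```powershell
# Added example: refuse LM and NTLMv1 on this host, with a pre-flight check.
# Not part of the article. Level 5 is what the Security Options setting
# "Send NTLMv2 response only. Refuse LM & NTLM" writes to the registry.
#Requires -RunAsAdministrator

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

$current = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $current) { $current = 3 }   # value absent: the OS default on supported versions is 3
"Current LmCompatibilityLevel: $current ($($levels[$current]))"

# Pre-flight: which clients authenticated with NTLMv1 in the last 30 days?
# 4624 carries LmPackageName = "NTLM V1" / "NTLM V2" for NTLM logons. 2592000000 ms = 30 days (assumed window).
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 2592000000]]" +
         " and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$v1Clients = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        "$($data.TargetDomainName)\$($data.TargetUserName) from $($data.WorkstationName) ($($data.IpAddress))"
    } | Sort-Object -Unique

if ($v1Clients) {
    "Clients still using NTLMv1; fix these before enforcing level 5 or they will fail to authenticate:"
    $v1Clients
} else {
    "No NTLMv1 logons recorded in the window; setting LmCompatibilityLevel = 5."
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    $new = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel).LmCompatibilityLevel
    "LmCompatibilityLevel is now $new ($($levels[$new])). Reboot to be sure every session uses it."
}
```

Level 5 governs both directions: the host stops sending LM and NTLMv1 responses as a client and refuses them as a server. An empty pre-flight result only proves that nothing logged an NTLMv1 logon in the window, so on a busy server keep the window at least as long as the longest batch or maintenance cycle that could trigger one.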

Why disable NTLM authentication?

Disabling NTLM authentication removes the protocol's structural weaknesses rather than mitigating them one by one: no NTLM means no NTLM relay, no NetNTLM responses to capture and crack, and one fewer way to use a stolen NT hash. By eliminating NTLM where Kerberos can take its place, organizations reduce their exposure to these attacks and improve their overall security posture, and the migration work itself (registering SPNs, fixing IP-based connections, updating applications) tends to surface other long-neglected configuration problems.
